I successfully tested a LSASS dumping technique on a Windows 10 lab machine, which we encountered on a recent Incident Response engagement (no EDR, default Defender installed).

The "MiniDumpWriteDump" technique, as described here [1], was successful in writing the LSASS process to disk.

However, as soon as I tried to copy the dump to my Kali machine, Defender jumped into action, prohibited access to the LSASS dump, and removed the file to the quarantine. And here is the catch.

I browsed to the following folder:
C:\ProgramData\Microsoft\Windows Defender\Quarantine

In the ResourceData folder, you will find different sub-folders (or not, if Defender never quarantined something on that host), each folder containing a quarantine file.

The files are encrypted with a static key that leaked years ago, and this 10-year-old code snippet is still sufficient to decrypt the files back to their original state. [2]

Long story short: I copied the encrypted file to my Kali machine, decrypted it using the Python code from [2], and extracted the credentials and hashes with pypykatz. [3]

Classic example of "No, it's not enough when your AV blocked or removed a threat". As you can see, an attacker can easily get the LSASS dump, even if Defender removed it from the disk ¯\_(ツ)_/¯

[1 ]https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
[2] https://raw.githubusercontent.com/malmoeb/DFIR/refs/heads/master/quarantine.py
[3] https://github.com/skelsec/pypykatz

An einem internen Kritiker der M365-Migration hat der Luzerner Regierungsrat allerdings nicht festgehalten. Das Online-Magazin Republik berichtet, der "Chief Information Security Officer (CISO) des Kantons sei wegen seiner Bedenken zum zeitlichen Fahrplan von Microsoft 365" Anfang Juni freigestellt worden.

Der IT-Sicherheitschef habe den Luzerner Regierungsrat darauf hingewiesen, "dass der Kanton die erforderlichen Hausaufgaben zur IT-Sicherheit rund um das Projekt Microsoft Cloud noch nicht erfüllt habe, was wiederum verschiedene Quellen der Republik bestätigt haben". Der CISO trat deshalb auf die Bremse. Doch die Kantonsregierung bestand auf ihrem Zeitplan, stattdessen musste laut Republik der Kritiker seinen Platz räumen.

"Bis heute hat das zuständige Finanzdepartement weder intern noch öffentlich über die Personalie informiert", schreibt das Medium. Der IT-Sicherheitschef selbst war für eine Stellungnahme nicht erreichbar, so das Magazin, die Kantonsregierung dementierte derweil: "Der Weggang hat keinen Zusammenhang mit der Einführung von Microsoft 365 beim Kanton Luzern".

https://www.heise.de/news/Schweizer-Kanton-feuert-CISO-im-Streit-um-Nutzung-der-Microsoft-Cloud-10451987.html

Google's Threat Intelligence Group and the Citizen Lab each issued reports on a highly customized attack against email accounts of Keir Giles, a Russia expert based in the U.K.

https://therecord.media/keir-giles-russia-expert-email-attack-gtig-citizen-lab-reports

39 hours of digging through ruins.

Kyiv rescue crews have ended operations after one of Russia’s largest strikes.
A missile hit a 9-story building on Tuesday.

📍 23 bodies recovered at the site
📍 28 killed across the city
📍 140+ injured

Photo Suspilne, Hromadske

This might be a niche persistence mechanism, but during an investigation, I stumbled upon the following file on a Linux server:

/home/<user>/.config/autostart/set_trusted.desktop

With the following content:

[Desktop Entry]
Encoding=UTF-8
Exec=/usr/bin/set_trusted.sh
Name=Set trusted
Comment=Set desktop file trusted
Terminal=false
OnlyShowIn=GNOME
Type=Application
X-GNOME-Autostart-enabled=true

Do you spot the "exec" command? An attacker could replace the legitimate path to the "set_trusted.sh" file with an arbitrary file, thereby (potentially?) gaining code execution whenever the user logs in.

I don't know how widespread that feature is, and how many distributions are supporting it (Nautilus?), but maybe it will come in handy for someone :)

Just updated my diagram of Trump’s crypto entanglements based on his most recent financial disclosures 😵‍💫

Full-size image: https://storage.mollywhite.net/trump-family-crypto-projects.png
Disclosures: https://oge.app.box.com/s/k0hxcezgk7j1cyqoue16cillsi9srmfu

#crypto #cryptocurrency #USpolitics #USpol

Quote: "In less than three months' time, almost no civil servant, police officer or judge in Schleswig-Holstein will be using any of Microsoft's ubiquitous programs at work. […] The current first phase involves ending the use of Word and Excel software […]. Over the next few years, there will also be a switch to the Linux operating system in order to complete the move away from Windows."

https://www.france24.com/en/live-news/20250613-we-re-done-with-teams-german-state-hits-uninstall-on-microsoft

1/2

#EU_OS #GermanStack #EuroStack